Encryption is a Digital Right…and Creates Responsibilities

December 21, 2016

Tim Conway, Director Asia-Pacific, Global Digital Foundation

Privacy and security have been central to communications since antiquity. A King of Miletus once tattooed a message on the shaved scalp of a servant and sent him off to deliver it once his hair had grown back.

Since then the business of privacy has grown ever more inventive, making use of many kinds of security devices such as seals, locks, codes and cyphers to protect information.

Today, digital communications rely on security technologies, in particular encryption, to underpin trust and confidence. Use of these technologies, especially encryption, is regarded as a digital right. However, as with all rights, they come with responsibilities including the responsibility to observe and obey the rule of law.

The need to protect information is critical in the digital age. Technology allows people to do via a computer much of what they once did manually: buy and sell, sign documents, transfer money, for example. Doing so safely relies on what is called the triad of information security: confidentiality, integrity and availability.

The traditional concepts of privacy and security now equate with trust and confidence. These concepts underpin the development of usable, dependable digital communications. That’s why they have been top of mind ever since the early evolution of “e-commerce” and “e-government”.

Over the past decade, mobile devices have proliferated and are already central to our personal and professional digital life. Their importance will only increase in the future as technologies such as the Internet of Things, autonomous devices and services, and robotics become commonplace in business and government. They already support many of our personal and social needs.

Today, with 3.5 billion people online, privacy and security are widely viewed as a given. People assume they can have trust and confidence in their Internet exchanges.

Some types of information need a higher level of protection than others. Higher protection categories include:

Personal data, for example, defined as information that identifies us, our personal issues and relationships, our financial and medical status, and anything else that is intimate to us; and

Business or organisational data, which can include financial information including transaction flows, employee records, strategic information that is, or may be, of competitive advantage, as well as all the information entrusted to organisations by customers, citizens or users that is specific and intimate to them.

The Internet means most of this information flows through public networks as communications, transactions or for cloud storage. Developers and users of digital innovation are thus together bound to do all they can to ensure that trust and confidence are maintained.

Encryption, in combination with access control, has thus become the principal information security technology.

Governments – globally – are the first among many equals for whom the security and protection of critical information is of paramount importance.

Of course, it is no coincidence that government agencies charged with maintaining the protection of that critical information seek, for their own purposes, the strongest and most secure forms of encryption from digital suppliers to ensure the confidentiality, integrity and availability of their information.

Equally, the Internet is an acknowledged vector for crime and malevolence:

Emails “phish” for identifying data and information to enable fraudulent access to systems such as electronic banking;

Systems themselves can be hacked due to poor access controls, weak passwords or other vulnerabilities;

Criminals aren’t the only source of malevolence. Terrorists (however defined) also use the Internet, so security agencies want access to information they have or communicate; and

ICT systems themselves can be a source of malevolence, when they are taken over for the propagation of malware or routing of denial-of-service attacks.

Crime detection and prosecution require evidence; law enforcement agencies now naturally seek access to digital information on devices and services used by the perpetrators. But the advent of the digital age does not mean we, as a society, have diminished our respect for the rule of law: indeed, the rule of law remains central to maintaining our privacy, trust and confidence. Hence we demand perpetrators are brought to justice, and strongly support law enforcement, where access to information is sought under due process in the pursuit of justice, to prevent crime or terrorism.

Therein lies the double-bind in our, now digital, society:

Because of perceived and real threats to our information privacy, we continuously seek new security technologies such as stronger encryption tools from developers of digital innovation, which we wish to configure to meet our needs;

In so doing, we make it harder for law enforcement and security services to detect and prosecute malevolent activities;

Digital innovators – developers and users – are confronted by a serious conundrum: should developers undermine the former to enable the latter?

The only logical answer is no.

Why? Because this, paradoxically, weakens everything.

Strong encryption means the trillions of daily transactions globally are handled safely and confidentially, maintaining the privacy and integrity of the information transacted.

A government or judicial mandate to weaken this via “backdoor” decryption capabilities, even on one device or system, necessarily weakens all devices and systems – including those of governments.

The inherent propagative nature of networked digital technologies means such vulnerability cannot be limited to a single device or system, a single criminal or terrorist, or, indeed, a single government.

Documented experience with the propagation of malware, of vulnerabilities – indeed, the growing commercial trade in “zero day” defects – shows this to be the sad truth. The mere existence of a decryption capability undermines essential trust and confidence. The consequences of this are devastating.

As a digital society, we should not accept or support the development of “backdoor” decryption technologies.

The subsequent device and system vulnerabilities would make the world a much less safe place.

They undermine trust and confidence, with serious economic and social consequences;

Even those countries and societies that place less emphasis on personal privacy will have other vital information assets exposed and stolen.

That does not mean we, as positive contributors to digital society, should oppose the rule of law, or lawful access to systems according to due legal process. It means the law itself and its processes must adapt; there must be closer dialogue and cooperation with and between governments and law enforcement agencies. Just as everyone has a right to ensure and maintain the privacy of their information, there is an equivalent responsibility to assist in prevention, detection and prosecution of malevolent activities. However, this responsibility cannot allow us to condone actions the consequences of which make everything weaker and more vulnerable to those very malevolent activities.


Views expressed in this article are those of the author and not those of the Global Digital Foundation which does not hold corporate views.